Page MenuHomePhabricator
Create Task
Maniphest T119100

Increase MinimalPasswordLength to 8 for several local and global groups
Closed, ResolvedPublic
Actions

Description

Per https://en.wikipedia.org/wiki/Wikipedia:Security_review_RfC, it seems like the admins mostly all agree to "Length increase to 8 bytes".

Initially, we will not set a minimum password length to login (which prevents logins for accounts with shorter passwords), so users in these groups, if they have a password shorter than 8, will still be logged in, but will be prompted to change their password every time they login.

Details

SubjectRepoBranchLines +/-
Enforce password policies on labsoperations/mediawiki-configmaster+61 -0
Password policies for advanced permission groupsoperations/mediawiki-configmaster+73 -7
Set password policy for enwiki sysopsoperations/mediawiki-configmaster+28 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

csteipp created this task.Nov 19 2015, 5:55 PM
csteipp claimed this task.
csteipp raised the priority of this task from to High.
csteipp updated the task description. (Show Details)
csteipp added projects: Security-Team, WMF-NDA, Wikimedia-Site-requests, acl*security.
csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".
csteipp changed the edit policy from "All Users" to "Custom Policy".
csteipp added subscribers: Krenair, Jalexander, csteipp, Matanya.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 19 2015, 5:55 PM
csteipp mentioned this in T121186: Implement results of enwiki Security review RfC.Dec 11 2015, 2:05 AM
csteipp renamed this task from Increase MinimalPasswordLength for enwiki sysops to 8 to Increase MinimalPasswordLength to 8 for local enwiki groups: sysops, bureaucrat, steward, and founder.Dec 11 2015, 2:08 AM
csteipp updated the task description. (Show Details)
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp set Security to None.
Restricted Application added a subscriber: Dereckson. · View Herald TranscriptDec 11 2015, 2:08 AM
csteipp added a parent task: T121186: Implement results of enwiki Security review RfC.Dec 11 2015, 2:08 AM
Bawolff subscribed.EditedDec 11 2015, 2:21 AM

steward and founder are of course global groups. (T104371)

csteipp added a comment.Dec 11 2015, 2:34 AM

steward and founder are of course global groups. (T104371)

There is a local 'steward' and 'founder' group as well, although it looks like steward has no members, and founder only has one user, predictably.

The global stewards have agreed to raise their policy as well.

Krenair added a comment.Dec 11 2015, 2:45 AM

local steward is used to get around T14518

Kharkiv07 subscribed.Dec 13 2015, 4:16 PM
csteipp added a parent task: T122248: Password/login related security issues (Tracking).Dec 22 2015, 10:04 PM
Krenair moved this task from Backlog to External on the Wikimedia-Site-requests board.Jan 14 2016, 2:32 PM
Restricted Application added subscribers: JEumerus, Luke081515. · View Herald TranscriptJan 14 2016, 2:32 PM
Bawolff added a comment.Jan 22 2016, 11:31 AM

per https://meta.wikimedia.org/wiki/Requests_for_comment/Password_policy_for_users_with_certain_advanced_permissions we need to do this everywhere, not just enwiki

Bawolff renamed this task from Increase MinimalPasswordLength to 8 for local enwiki groups: sysops, bureaucrat, steward, and founder to Increase MinimalPasswordLength to 8 for several local and global groups.Jan 22 2016, 11:32 AM
MarcoAurelio subscribed.Jan 30 2016, 4:22 PM
gerritbot subscribed.Feb 23 2016, 2:26 AM

Change 272660 had a related patch set uploaded (by CSteipp):
Password policies for advanced permission groups

https://gerrit.wikimedia.org/r/272660

gerritbot added a project: Patch-For-Review.Feb 23 2016, 2:26 AM
csteipp moved this task from Incoming to In Progress on the Security-Team board.Feb 23 2016, 6:38 PM
gerritbot added a comment.Mar 10 2016, 5:54 PM

Change 276518 had a related patch set uploaded (by CSteipp):
Enforce password policies on labs

https://gerrit.wikimedia.org/r/276518

Restricted Application added a subscriber: Malyacko. · View Herald TranscriptMar 10 2016, 5:54 PM
gerritbot added a comment.Mar 15 2016, 4:40 AM

Change 251678 abandoned by CSteipp:
Set password policy for enwiki sysops

Reason:
Doing I9bf79e16d61b6e7aca89cd7bd05a8ce65685a8c2 instead

https://gerrit.wikimedia.org/r/251678

gerritbot added a comment.Mar 15 2016, 3:04 PM

Change 272660 merged by jenkins-bot:
Password policies for advanced permission groups

https://gerrit.wikimedia.org/r/272660

csteipp closed this task as Resolved.Mar 15 2016, 3:23 PM

With https://gerrit.wikimedia.org/r/272660, this is now enforced on all SUL sites

gerritbot added a comment.Jan 11 2017, 6:24 PM

Change 276518 abandoned by Reedy:
Enforce password policies on labs

Reason:
Dupe of productions, config already applied on beta

https://gerrit.wikimedia.org/r/276518

Wong128hk subscribed.Jun 29 2017, 12:12 PM
Liuxinyu970226 subscribed.Jul 17 2017, 4:43 AM
Liuxinyu970226 unsubscribed.
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.Jun 11 2019, 6:05 PM
chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Zabe removed a project: Patch-For-Review.Jul 29 2021, 12:34 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL